DETAILED ACTION 

1. This action is responsive to communication: original application filed 28 June 2001, with 
acknowledgement of continuing filing date of 17 January 2001. 

2. Claims 1-10 and 12-20 are currently pending in this application. Claims 1, 8, and 15 are 
independent claims. No claim 11 was present in the application. 

3. The title of the invention is not descriptive. A new title is required that is clearly 
indicative of the invention to which the claims are directed. Although the invention is related to 
patent application 09/895,560, "Method for pre-authentication of users using one-time 
passwords", the claims in the invention do not use the term "one-time password" and are directed 
to an authentication system. 

The following title is suggested: An authentication system utilizing challenges and public 
key cryptography. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious at the 
time the invention was made to a person having ordinary skill in the art to which said subject matter 
pertains. Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-4, 6-10, 12-17, and 20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Yatsukawa, U.S. Patent No. 6,148,404 (hereinafter '404), in further view of 
Baskey et al., U.S. Patent No. 6,732,269 (hereinafter '269). 
As to independent claim 1, "A computer program product for a client computing 
system including a processor includes: code that directs the processor to request a 
challenge from an authentication server; code that directs the processor to receive the 
challenge from the authentication server" and "wherein the authentication server activates 
the identity code when the digital signature is verified, and wherein the codes reside on a 
tangible media" is taught in '404 col. 12, lines 39-67 "the present invention provides an 
authentication terminal apparatus for granting authentication to an authentication request sent 
by an authentication requester via a storage medium, in support of an external authentication 
server, comprising: a main body; and means for accepting a storage medium storing: seed data 
used for generating authentication data to authenticate an authentication requester, a secret key 
of the authentication requester and a program for generating authentication data based on the 
seed data utilizing the secret key"; 

"the challenge comprising an identity code; code that directs the processor to 
receive user authentication data from a user; code that directs the processor to determine 
a private key and a digital certificate in response to the user authentication data; code that 
directs the processor to form a digital signature in response to the identity code and the 
private key; code that directs the processor to communicate the digital signature to the 
authentication server, code that directs the processor to communicate the digital 
certificate to the authentication server, the digital certificate comprising a public key in an 
encrypted form; and code that directs the processor to communicate network user 
authentication data and the identity code to the authentication server via a security 
server" is shown in '404 col. 20, lines 11-31 "In the example shown in FIG. 16, it is a 
precondition that the server obtains a public-key certificate of the client X at each log-in. In 
other words, the client sends the server, for instance, the public-key certificate 
CK.sub.px of the client X along with the authentication data. When the authentication 
processing program 104 at the server side receives a log-in message of a client X, the program 
104 returns an authentication data request message to the client. When the program 14 receives 
authentication data transmitted by the client X in response to the message, the program 104 
inspects a digital signature of the certification authority (CA), which is added to the public-key 
certificate of the client X, by utilizing a public key K.sub.pc (stored in the file 107) of the CA. 
If the inspection result shows that the digital signature is authentic, the program 104 verifies 
that the public-key certificate is the authentic public-key certificate of the client X. The public- 
key certificate CK.sub.px of the client X is stored in the inspection data file 105. The 
deciphering processing program 106 accesses the inspection data file 105 and derives the public 
key K.sub.px of the client X included in the public-key certificate CK.sub.px"; 
The following is not taught in '404: "via a first secure communication channel"; however, '269 
teaches, in col. 2, lines 21-40, "These and other objects of the present invention may be 
provided by methods, systems, and computer program products which communicate between 
client applications and a transaction server by establish a persistent secure connection between 
the transaction server and a Secure Socket Layer (SSL) proxy server". 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '404, a method for authenticating users utilizing public/private key 
cryptography, to include a means to utilize a Secure Socket Layer connection. One of ordinary 
skill in the art would have been motivated to perform such a modification because, as network 
communication improves, a need exists to keep up with the available secure communication 
standards. As indicated by '269 (see col. 1, lines 13 et seq.), "In communications between a 
client and a server, it is often beneficial to provide increased security. One mechanism for 
providing increased security is through the use of the Secure Socket Layer (SSL) protocol. FIG. 
1 illustrates a conventional SSL connection between a client 10 and a server 12. As seen in 
FIG. 1, the client 10 communicates directly with the server 12 utilizing the SSL connection". 

As to dependent claim 2, "wherein the identity code remains inactive when the 
authentication server does not verify the digital signature" is disclosed in '404 col. 20, lines 
11-31. 

As to dependent claim 3, "wherein the security server comprises a server selected 
from the class firewall server, VPN gateway server" is shown in '269 col. 5, lines 38-57 
"other forms of secure connection may be utilized, such as, for example, a Virtual Private 
Network (VPN) tunnel, Internet Protocol Security (IPSEC)". 

As to dependent claim 4, "wherein code that directs the processor to determine the 
private key and the digital certificate in response to the user authentication data 
comprises code that directs the processor to determine a private key associated with the 
user when the user authentication data is correct" is disclosed in '404 col. 20, lines 11-31. 

As to dependent claim 6, "further comprising code that directs the processor to 
receive network user authentication data from the user" is taught in '404 col. 12, 
lines 39-67. 

As to dependent claim 7, "wherein code that directs the processor to receive user 
authentication data from a user comprises code that directs the processor to receive user 
authentication data and the network authentication data from the user" is shown in '404 
col. 12, lines 39-67. 

As to independent claim 8, "A client computing system for communicating with a 
private server includes: a tangible memory configured to store a key wallet" is taught in 
'404 col. 12, lines 39-67; 

"the key wallet including a private key associated with the user and a digital 
certificate associated with a user, the private key and digital certificate stored in an 
encrypted form; a processor coupled to the tangible memory, the processor configured to 
receive a challenge from an authentication server" and "the challenge comprising an 
identity code, configured to receive user authentication data from the user, configured to 
determine a retrieved private key and a retrieved digital certificate from the key wallet in 
response to the user authentication data from the user; configured to form a digital 
signature in response to the identity code and the retrieved private key, configured to 
communicate the digital signature to the authentication server, configured to 
communicate the digital certificate to the authentication server, and configured to 
communicate network user authentication data and the identity code to the authentication 
server via a security server, wherein the authentication server activates the identity code 
when the digital signature is verified, and wherein the security server allows the client 
computing system to communicate with the private server when the identity code is 
activated" " is shown in '404 col. 20, lines 11-31 

The following is not taught in '404: "via a first secure communication channel"; however, '269 
teaches "These and other objects of the present invention may be provided by methods, 
systems, and computer program products which communicate between client applications and a 
transaction server by establish a persistent secure connection between the transaction server and 
a Secure Socket Layer (SSL) proxy server" in col. 2, lines 21-40. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '404, a method for authenticating users utilizing public/private key 
cryptography, to include a means to utilize a Secure Socket Layer connection. One of ordinary 
skill in the art would have been motivated to perform such a modification because, as network 
communication improves, a need exists to keep up with the available secure communication 
standards. As indicated by '269 (see col. 1, lines 13 et seq.), "In communications between a 
client and a server, it is often beneficial to provide increased security. One mechanism for 
providing increased security is through the use of the Secure Socket Layer (SSL) protocol. FIG. 
1 illustrates a conventional SSL connection between a client 10 and a server 12. As seen in 
FIG. 1, the client 10 communicates directly with the server 12 utilizing the SSL connection". 

As to dependent claim 9, "wherein the retrieved private key and the private key 
associated with the user are identical" is taught in '404 col. 11, lines 40-50 "the authenticator 
deciphers the received authentication data sent by the requester by using a public key of the 
authentication requester, and compares the deciphered data with inspection data . . . inspecting 
whether or not they are coincident". 

As to dependent claim 10, "wherein the retrieved private key and the private key 
associated with the user are different, and wherein when the retrieved private key and the 
private key associated with the user are different the identity code remains inactive" is 
shown in '404 col. 18, lines 9-21 "Log-in is granted only when the deciphered data coincides 
with inspection data which has been stored at the authenticator's side. Accordingly, as long as 
a client securely keeps his/her own secret key, a third person who has any (or all) of the 
authentication data ... is unable to "masquerade" as the authentic client". 
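The exchange the examiner maps onto '404 and '269 for claims 1, 8, 9 and 10 (the client requests a challenge carrying an identity code, unlocks a key wallet with user authentication data, signs the identity code with the retrieved private key, returns the signature together with its CA-signed certificate, the authentication server activates the identity code only after verifying both, and a security server admits only activated codes), as an added worked example that is not code from the application or from either cited patent. It uses only the Python standard library, so the signature scheme is a toy textbook RSA over a SHA-256 digest with no padding and the key wallet is a PBKDF2-keystream XOR; both constructions, and every name in the block (KeyWallet, AuthServer, client_login, the "client X" subject, the PIN strings), are assumptions made for illustration and not anything the patents or the claims specify. Neither the toy RSA nor the XOR wallet is suitable for real use.

```python
import hashlib
import secrets

# Toy textbook RSA over a SHA-256 digest (no padding; 512-bit n): illustration only.
def _is_probable_prime(n, rounds=20):  # Miller-Rabin; callers pass large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(p):
            return p

def keygen(bits=512):  # -> (public, private) as ((n, e), (n, d))
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):  # 256-bit digest as an integer, always below the 512-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def _tbs(subject, pub):  # certificate body: the CA signs (subject, public key)
    return f"{subject}|{pub[0]}:{pub[1]}".encode()

def issue_certificate(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "ca_sig": sign(ca_priv, _tbs(subject, pub))}

class KeyWallet:
    """Private exponent XORed with a PBKDF2 keystream from the user's password. A wrong
    password does not raise; it yields a *different* private key (the claim 10 case)."""
    def __init__(self, priv, cert, password):
        self.n, self.cert, self.salt = priv[0], cert, secrets.token_bytes(16)
        raw = priv[1].to_bytes((self.n.bit_length() + 7) // 8, "big")
        self.blob = self._xor(raw, password)

    def _xor(self, data, password):
        ks = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def retrieve(self, password):
        return (self.n, int.from_bytes(self._xor(self.blob, password), "big")), self.cert

class AuthServer:
    """Issues the challenge (an identity code); activates it only on a verified signature."""
    def __init__(self, ca_pub):
        self.ca_pub, self.codes = ca_pub, {}  # identity code -> activated?

    def challenge(self):
        code = secrets.token_hex(16)
        self.codes[code] = False
        return code

    def authenticate(self, code, cert, sig):
        ok = (code in self.codes
              and verify(self.ca_pub, _tbs(cert["subject"], cert["pub"]), cert["ca_sig"])
              and verify(cert["pub"], code.encode(), sig))  # signature over the challenge
        if ok:
            self.codes[code] = True  # otherwise the code stays inactive
        return ok

def security_server_allows(auth, code):  # gateway in front of the private server
    return auth.codes.get(code, False)

def client_login(auth, wallet, password):
    # Client: request challenge, unlock wallet, sign the identity code, send
    # signature plus certificate to the authentication server; return the code.
    code = auth.challenge()
    priv, cert = wallet.retrieve(password)
    auth.authenticate(code, cert, sign(priv, code.encode()))
    return code

def run_demo():
    ca_pub, ca_priv = keygen()
    user_pub, user_priv = keygen()
    cert = issue_certificate(ca_priv, "client X", user_pub)
    wallet = KeyWallet(user_priv, cert, "correct-pin")
    auth = AuthServer(ca_pub)
    good = client_login(auth, wallet, "correct-pin")  # claim 9: retrieved key identical
    bad = client_login(auth, wallet, "wrong-pin")     # claim 10: retrieved key differs
    return security_server_allows(auth, good), security_server_allows(auth, bad)
```

run_demo() returns (True, False): the correct PIN retrieves the identical private key and the identity code is activated, while a wrong PIN retrieves a different key, the signature over the identity code fails to verify, and the security server keeps the client away from the private server. Because the server chooses a fresh identity code for each log-in, a captured signature cannot be replayed against a later challenge, and because the certificate is checked under the CA key before its public key is used, a self-made certificate does not help an attacker.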

As to dependent claim 12, "wherein the security server comprises a server selected 
from the class firewall server, VPN gateway server, electronic mail server, web server, 
database server, database system, application server" is disclosed in '269 col. 5, lines 38-57. 

As to dependent claim 13, "wherein the tangible memory can be removed from the 
client computer" is taught in '404 col. 20, lines 58-63 "Therefore, in the second modified 
example, the secret key K.sub.s is stored in an IC card instead of the client terminal, enabling the 
client X to carry around the IC card". 

As to dependent claim 14, "wherein the processor is also configured to receive the 
network user authentication data from the user" is shown in '404 col. 12, lines 39-67. 

As to independent claim 15, this claim incorporates substantially similar subject matter 
as claims 1 and 8; therefore it is rejected along the same rationale. 

As to dependent claims 16 and 17, these claims are substantially similar to claims 9 and 
10; therefore they are rejected along the same rationale. 

As to dependent claim 20, "wherein the client computing system is selected from the 
class desktop computer, portable computer, PDA, wireless device" is shown in '404 col. 21, 
lines 61-67 "More specifically, the system at the client side may be a general-purpose personal 
computer, and the personal computer may be used by persons other than the client X. In 
addition, any terminal can be used as the client's main apparatus as long as the terminal is 
capable of interfacing with an IC card. Accordingly, for instance, remote log-in or the like 
using a portable terminal is enabled from outside". 

6. Claims 18 and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable over '404 
in further view of '269, in further view of Chang et al., U.S. Patent No. 6,715,082 (hereinafter 
'082). 

As to dependent claim 18, the following is not taught in the combination of '404 and 
'269: "further comprising means for receiving at least a network password associated with 
the user from the user, wherein the means for communicating the digital certificate and 
the digital signature to the authentication server also comprise means for communicating 
the network password associated with the user to the authentication server"; however, '082 
teaches "A method and apparatus for validating access to a network system is disclosed ... In 
response to entering the username and one-time password, a user authorization phase is 
performed to determine whether a session should be established for the particular user" in 
col. 4, lines 10-43. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '404 and '269, a method for authenticating users utilizing 
public/private key cryptography with SSL, to include a means to authenticate a network 
password. One of ordinary skill in the art would have been motivated to perform such a 
modification because many computer networks have a desire to provide remote access. As 
indicated by '082 (see col. 1, lines 17 et seq.), "A network system generally includes a number 
of network devices, such as switches, routers, and other connected so as to allow 
communication among the devices . . . Many companies have a desire to provide remote access 
to their computer networks. By allowing remote access, individuals can connect to the 
computer network to use it to work and obtain resource information while located at a remote 
site". 

As to dependent claim 19, "wherein the means for communicating the digital 
certificate and the digital signature to the authentication server also comprise means for 
communicating a network password associated with the user to the authentication server; 
the client system further comprising means for determining the network password 
associated with the user in response to at least the PIN from the user" is taught in '082 
col. 4, lines 10-43. 

7. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over '404 in further 
view of '269, in further view of Arthan et al., U.S. Patent No. 6,782,103 (hereinafter '103). 

As to dependent claim 5, the following is not taught in '404 and '269: "wherein code 
that directs the processor to determine the private key and the digital certificate in 
response to the user authentication data further comprises code that directs the processor 
to determine a private key not associated with the user when the user authentication data 
is incorrect"; however, '103 teaches "If a key becomes compromised, then good cryptographic 
practice dictates that operational use of that key be suspended. The key then needs to be 
changed so that business can proceed using new uncompromised key" in col. 3, lines 9-17. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify the teachings of '404 and '269, a method for authenticating users utilizing 
public/private key cryptography with SSL, to include a means to change the private key when 
authentication is incorrect. One of ordinary skill in the art would have been motivated to 
perform such a modification because it is good practice to change keys when a key becomes 
compromised. As indicated by '103 (see col. 1, lines 50 et seq.), "Good cryptographic practice 
requires all keys be changed at regular intervals, but if a key becomes compromised then it 
needs to be changed at other than the appropriate regular interval". 



Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 6:30 am to 3:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (571) 272-3838. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Ellen Tran 
Patent Examiner 
Technology Center 2134 

03 November 2004 